top of page


Updated: Jun 11, 2023

This CPPA regulations, however, significantly change the CCPA rules that had been in effect prior to March 29.

The list below is not a comprehensive list, but provides some insight into the scope of changes:

  • Collection and Use of Personal Information (PI). The regulations provide additional rules on when a business’s collection, use, retention, and/or sharing of consumer PI is “reasonably necessary and proportionate” to achieve (1) the purpose for which the PI was collected or processed or (2) another disclosed purpose that is “compatible with the context” in which the PI was collected.

  • Disclosures and Communications to Consumers. The regulations create additional requirements for how notices are provided to consumers, which includes including formatting and accessibility requirements.

  • Consumer Consent. CPPA require businesses to avoid choice architecture that impairs or interferences with the consumer’s ability to make a choice. The use of dark patterns to obtain consent is forbidden and provide several factors to consider in determining whether a choice architecture is a dark pattern

  • Notice at Collection. The regulations adjust the notice at collection requirement to account for more than one business collecting PI. The regulations acknowledge that more than one business may control the collection of a consumer’s PI. If multiple parties are controlling the collection, all parties must provide a notice of collection, but this requirement can be satisfied by a single notice about their collective “Information Practices,” which the rules define.

  • Alternative Opt-Out Link. The regulations permit businesses to use a single link to allow users to both opt out of selling and sharing and exercise their right to limit the use of sensitive PI.

  • Sensitive PI. The regulations provide consumers with the ability to limit the use and disclosure of sensitive PI to that which is “necessary to perform the services or provide the goods reasonably expected by an average consumer.” Sensitive PI that is collected or processed without the purpose of inferring characteristics about a consumer from requests to limit use is exempt from this obligation.

  • Opt-Out Preference Signals. The regulations require businesses to process opt-out preference signals that meet certain technical requirements. These signals would allow a consumer to exercise their right to opt out of the selling and sharing of PI.

  • Contracts. The regulations include new requirements for contracts between service providers and contractors, as well as contracts between businesses and third parties.

  • Agency Audits. The regulations provide the CPPA with the authority to audit businesses, service providers, contractors, or other persons. These audits “may be announced or unannounced.”

Th act comes to force on July 1, 2023

Find the full text of the act here:

13 views0 comments


bottom of page